Let’s start, as expected, with some dry theory. Without it, what happens later will not make sense, so I will keep it as brief and plain as possible.
Privileges are permissions that the system grants to a process through its access token. For example, if a process holds the “SeShutdownPrivilege” privilege, it has the right to shut down your computer. If your program does not hold that privilege, it cannot perform that action.
Windows Defender relies on its privileges to scan files, for example “SeRestorePrivilege”. From this we conclude that if the antivirus process is stripped of the privileges it needs to scan files, it becomes useless and can no longer perform that scan. Any explanation becomes clearer once you turn dry text into something you can see, so I suggest you download Process Hacker and look with your own eyes at the privileges held by a particular process.
Windows Defender runs as the process MsMpEng.exe. Find it in the process list and open the Token tab. Here we notice that the process holds many different privileges that are of key importance to it.
As you understand, we will be dealing with disabling these privileges. This concludes the theoretical part, and we move on to implementing the PoC.
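As an added illustration of what those privilege entries look like at the API level (this is not code from the original post), the Python below decodes the TOKEN_PRIVILEGES structure that GetTokenInformation returns and flags privileges that are absent, disabled or marked removed, so a defender can baseline a protected process's token. The sample blob and the baseline list are constructed, and the LUID-to-name table covers only a few well-known privileges.

```python
import struct

# Privilege attribute flags from winnt.h (LUID_AND_ATTRIBUTES.Attributes)
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004

# Well-known privilege LUID LowPart values (ntseapi.h); HighPart is 0 for all of them.
# Only a handful are listed here; unknown LUIDs are reported numerically.
PRIVILEGE_NAMES = {
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    29: "SeImpersonatePrivilege",
}

def parse_token_privileges(blob: bytes) -> dict:
    """Decode a TOKEN_PRIVILEGES blob (DWORD PrivilegeCount followed by
    LUID_AND_ATTRIBUTES entries of 12 bytes each) into {name: attributes}."""
    (count,) = struct.unpack_from("<I", blob, 0)
    entries, offset = {}, 4
    for _ in range(count):
        # LUID.LowPart (DWORD), LUID.HighPart (LONG), Attributes (DWORD)
        low, high, attrs = struct.unpack_from("<IiI", blob, offset)
        offset += 12
        name = PRIVILEGE_NAMES.get(low) if high == 0 else None
        entries[name or f"Luid({high:#x},{low:#x})"] = attrs
    return entries

def audit_defender_privileges(privs: dict, required=("SeRestorePrivilege",)) -> list:
    """Return findings for baseline privileges that are missing, disabled or removed."""
    findings = []
    for name in required:
        if name not in privs:
            findings.append(f"{name}: missing from token")
        elif privs[name] & SE_PRIVILEGE_REMOVED:
            findings.append(f"{name}: marked SE_PRIVILEGE_REMOVED")
        elif not privs[name] & SE_PRIVILEGE_ENABLED:
            findings.append(f"{name}: present but disabled")
    return findings

def build_sample(entries) -> bytes:
    """Constructed TOKEN_PRIVILEGES blob for offline testing (not captured from a real process)."""
    blob = struct.pack("<I", len(entries))
    for low, attrs in entries:
        blob += struct.pack("<IiI", low, 0, attrs)
    return blob

# Constructed sample: SeRestorePrivilege enabled, SeBackupPrivilege disabled, SeShutdownPrivilege enabled
SAMPLE = build_sample([(18, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT), (17, 0), (19, SE_PRIVILEGE_ENABLED)])

if __name__ == "__main__":
    for finding in audit_defender_privileges(parse_token_privileges(SAMPLE), ("SeRestorePrivilege", "SeBackupPrivilege", "SeDebugPrivilege")):
        print(finding)
```

On a live system the blob would come from GetTokenInformation(TokenPrivileges) on the monitored process, and a finding against a baseline captured at install time is the signal worth alerting on.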
Right from the start, we run into two problems.
- The process MsMpEng.exe runs as SYSTEM. To edit its token, we need to be running as “NT AUTHORITY\SYSTEM” ourselves.
- To become SYSTEM, we first need to elevate, which in turn is only possible from an administrator account.
What do you think?
It is nice to know your opinion. Leave a comment.